Open Source and information security mailing list archives
From: BlueBoar at thievco.com (Blue Boar)
Subject: openssl exploit code

Solar Eclipse wrote:
> Whose interests is a full disclosure mailing list supposed to serve? Those of
> blackhats who prefer to keep all 0dayz private, or those of system
> administrators and security professionals who need information about the
> latest exploits? 

Bugtraq has always tried to do the latter.

> The fact is that Dave Ahmad is in a possession of an exploit for
> OpenSSL and is currently withholding it from the security community.
> Maybe his corporate masters fear litigation. Or it could be that
> he is concerned about my feelings. Even TESO didn't get that kind of
> treatment, this makes me feel so special.

TESO got that kind of treatment once, and they whined and threatened, and 
therefore the list moderators were obliged to check when it was obvious 
that someone besides the author was posting some code.  The vuln-dev list 
had to do the same.

> 
> Doesn't this make anybody else uncomfortable?

That's what anonymous remailers and unmoderated forums are for.

> 
> Are you going to subscribe to a full disclosure mailing list
> whose moderator puts Intellectual Property or Corporate Interests
> before the security of your system?

Heh.  Dave is protecting your interests and respecting your wishes in this 
case.  Seems strange to fault him for that. :)

> 
> After a few more corporate mergers and takeovers, are you going to
> send your 0dayz to bugtraq@...rosoft.com ? And wait 45 days for
> moderator approval?

It wouldn't matter.  The people who use Bugtraq would simply go elsewhere.

Far be it from me to suggest that people not try to keep Symantec honest, 
but I think it's a little unreasonable to cry censorship for this 
particular reason.

					BB